Let’s admit it: We have all been completely and utterly duped into allowing ourselves to be constantly surveilled.

In other words, we’ve managed to find ourselves in a situation where nearly every conversation we have is within earshot of a microphone. And not just any microphone, but one that is connected to automated systems which can parse speech and make decisions.

I’m not just talking about smart speakers like Alexa. Phones and laptops are internet-connected recording devices that accompany nearly every American over the age of 13 almost everywhere.

To use their iPhones, some people are happy to trade an algorithm’s recognition of their faces for the convenience of not having to type in a four-digit code.

Are we really okay with this? Why aren’t people protesting in the streets?

Is it because the tradeoff is worth it? Is it because asking Alexa to tell you the weather, to play any music you can imagine, or to summon an NPR flash briefing on command is worth the risk of compromising our most private conversations?

Does the benefit of having the entire knowledge of civilization at your fingertips, the ability to communicate with anyone wherever you go, and other mind-boggling capabilities of an iPhone outweigh the risks of being constantly monitored?

Facial Recognition

Ubiquitous cameras and microphones are only part of our current exposure to monitoring. The other hazard is the proliferation of databases and algorithms that, for those who might benefit from them, may be too tempting to stay away from.

The city of Detroit is getting in on the action too: Its highly touted Project Green Light crime deterrent program, which placed thousands of cameras around the city, has taken an Orwellian turn. The city is able to run software against 50 million photographs from driver’s licenses and mugshots to identify people in and around the city.

Facial recognition, at this point, is for sale. Amazon offers it as a service called “Rekognition.” All you need is some cash and coding skills, and you can tap into this toolset yourself.

Digital Eavesdropping

If you unplug your Amazon Alexa because you’re concerned it could listen and record your conversation, you’re not being paranoid. You are being prudent.

It turns out Amazon is recording your conversations after all. Once you speak the “wake word,” it’s game on. The problem is, as anyone who owns one of these smart speakers will tell you, wake word recognition is not 100% reliable. Although Amazon continues to improve wake word reliability, the device can activate in unpredictable situations, and when it does, it records what it hears and sends it to Amazon for processing.

On one occasion, Amazon sent a recording of someone’s private conversation in an email to another customer. Oops! And in the pursuit of fine-tuning their voice recognition software, Amazon engineers routinely listen to conversations, often with location information associated with the originating devices.

If you’ve noticed that private conversations end up with suspiciously relevant ads on your Facebook feed, you’re not being paranoid. As covered in Vice, one cybersecurity expert concludes: “From time to time, snippets of audio do go back to other apps (like Facebook’s servers) but there’s no official understanding what the triggers for that are. Whether it’s timing or location-based or usage of certain functions, apps are certainly pulling those microphone permissions and using those periodically.”

Staying Safe

Awareness is half the battle. Every time you use a piece of technology that requires a camera or microphone, especially if it can be connected to the Internet, assume it can be used to monitor you.

Realize that if you have a lot of connected devices in your home or office such as Nest thermostats (a.k.a. Internet of Things), you’re under constant observation.

Unplug Alexa when you’re not using it. Don’t leave the device on all day long. And if you don’t want Amazon listening to your conversations to fine-tune their AI, prevent them from doing so by turning off “Help develop new features” and “Use messages to improve transcriptions.”

Get involved with your local politicians to limit or ban government use of facial recognition technology. San Francisco and Somerville, Massachusetts have blazed this trail, so you can learn from their examples—or move there.

Keep in mind that surveillance does not end with audio and video. What you click on and search is monitored as well. Google’s popular Chrome browser, which has the largest market share of any browser, allows for web trackers that surveil your surfing habits. Use this Duck Duck Go plugin for Chrome to increase your privacy when browsing.

To say that law firms handle a lot of data would be an understatement. Firms must manage case information, communication records, and myriad documents shared with courthouses, notaries, and other legal entities. It’s almost impossible to conceptualize the physical space that would be required to hold this immense amount of documentation.

These logistical concerns (and technological shifts) have caused most firms to digitize their processes. While digitization solves plenty of challenges, it does create a few new ones — primarily with regard to cybersecurity and privacy.

In 2017, the Washington, D.C., offices of DLA Piper were the unfortunate victims of Petya malware. The attack resulted in the entire firm shutting down global operations, with weeks of disruption, millions lost in business and recovery costs, and painfully public press.

In general, 2018 was the year of the data breach — and confirmation that the legal industry hasn’t given data security the prioritization it deserves. Law firms are a prime target for cybercrime because of the amount of highly sensitive and confidential data they retain for their clients. This sensitive data is very valuable on the dark web.

Law firms have a solemn responsibility to protect client data as rigorously as possible. The American Bar Association’s professional code of conduct states that lawyers “shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” For law firms, a data breach could result in regulatory fines and possible malpractice suits.

Protecting client data is a collaborative effort between the law firm and information technology professionals; hiring a cybersecurity professional is key.

The Obvious (and Hidden) Costs of Data Breaches

In January 2018, security researchers revealed that computer chips commonly used in devices from Microsoft, Amazon, Apple, and other major tech companies were vulnerable to hacking. These hardware flaws mean law firms’ sensitive data may, in turn, be vulnerable to malicious hackers.

Many firms face the additional complications of poorly patched operating and network systems, outdated firewalls, and equipment nearing the end of its lifecycle, increasing the risk of technical failure. These weak spots provide opportunities for cybercriminals to hijack communications or hack sensitive data. The threat is so extensive that a 2017 Ponemon Institute survey found that 69 percent of respondents viewed their company’s security infrastructure as outdated.

In addition to outside threats, law firms must also contend with employee-generated vulnerabilities. Even if a company implements a thorough security infrastructure, employees are still susceptible to phishing or malware attacks. PhishMe reports that an alarming 91 percent of hacks begin with phishing scams, often because employees have not received the necessary cybersecurity training.

Employee error can have severe consequences when client data is compromised. Firms may have to contend with lawsuits, reputational damage, and employee and client churn. This is all while coping with the financial costs of downtime, repairs, and data restoration. In the case of DLA Piper, it took the firm months to fully recover and cost millions of dollars between lost billables and recovery expenses.

The severity of a breach may seem abstract to people who don’t work in IT, but the financial consequences can cripple even the healthiest firm. For breaches involving 1 million to 50 million lost records, IBM reports that companies can face $40 million to $350 million in associated costs. Depending on the size of your firm — and data breach — one small oversight can be devastating from a financial and longevity standpoint.

Four Ways to Start Securing Sensitive Data

Fortunately, IT professionals have a firm grasp on properly safeguarding legal professionals and businesses. Here are some ways to take action:

1. Organize your data storage.

You cannot protect your clients’ data if you don’t know where it is. Cloud services have enabled users to store client data in multiple locations without IT’s knowledge. Choose one storage method, such as Microsoft SharePoint or Google Drive, and implement firm-wide consistency.

Gaps between systems create unnecessary liabilities and inefficiencies, so having everyone work within the same structure will make it easier to retrieve and systematize data. More importantly, you’ll only need to monitor one system for security updates and potential breaches. Cloud providers like Microsoft have controls in place to encrypt data, monitor its use, and add digital rights to documents.

2. Implement managed security solutions.

Set up next-generation firewalls, spam filters, and anti-virus tools. These solutions will monitor your network activity and alert your IT team to malicious vectors and compromised devices. Considering the amount of data your firm generates and stores, you need solutions that continuously scan for potential threats.

3. Regularly train employees on security.

Turn your employees into assets rather than liabilities. Train them to spot phishing attempts and educate them on digital hygiene standards that will curtail the risk of a data breach. By cultivating your team’s awareness, you’ll decrease the likelihood hackers get anywhere near your client data.

4. Have a response plan in place.

Work with your IT and security teams to create data protection and recovery policies. Establishing a response plan well in advance of an attack can slash the time it takes to remediate a potential breach and recover lost time. Your response plan also should include a public relations strategy to minimize consequences such as client churn and a damaged reputation.

Cyber threats aren’t going anywhere—and hackers are constantly discovering new ways of accessing data. Law firms must protect client information, and the best way to do that is by empowering their IT teams to build a robust defense from the inside out.

Five Safety Tips for Digital Payments
https://www.lawtechnologytoday.org/2019/06/five-safety-tips-for-digital-payments/
Tue, 18 Jun 2019 15:00:00 +0000

As consumers, most of us prefer the use of digital, card-based or online payments for our retail purchases because of the convenience and security they offer. The use of cheques for everyday transactions is just not the norm anymore. There is no reason why this should be different for customers of law firms. Customers assume and expect that they should be able to pay for professional services using the same modes of payment that they use for retail transactions. Thus, digital payments have become a business necessity for law firms and independent lawyers alike.

As mentioned in one of our previous articles, allowing clients to pay using credit cards or pay online, not only helps to better manage the accounts receivables processes but also helps in getting paid faster. Efficiency and increased cash flow are the main drivers for implementing new-age payment systems in your law firm. The payments and customer data security rules and regulations that govern other businesses, however, become even more stringent when it comes to the legal industry. With this in mind, we look at the top five tips for securely supporting digital payments in your law business.

Compliance

Different rules and regulations apply to law firms operating under different jurisdictions. With respect to payments, it is usually mandatory to comply with the Payment Card Industry Data Security Standard (PCI DSS). A third-party service may be engaged to verify your PCI compliance. To ensure PCI compliance, procedures need to be established to protect files with sensitive information. In Europe, it is necessary to ensure that your payment service provider meets the GDPR requirements as stated in this infographic.

Online System Safety

When creating an online integrated system that accepts payments on behalf of your firm, you need to ensure that the system is hosted in a secure environment. Small businesses may tend to overlook the security aspect, thinking that they won’t be targeted, but petty hackers are more likely to target them for the same reason. Ensure that the hosting provider for the system has the correct practices and safeguards in place. Also ensure that the site is protected by Secure Sockets Layer (SSL) to encrypt any data exchanged between the system and external parties.

Human factors

In order to fully incorporate the digital payments culture in your firm or organization, it is necessary to educate all employees, especially those responsible for handling payments, regarding the safety measures required. Simple steps like password-protected devices, secure and updated software, use of VPNs, securing USB drives and other storage in the workplace, etc., can go a long way in protecting customer data.

Two-factor authentication

Two-factor authentication is the recommended best practice to be used by both parties when making payments. This protects against data loss and fraudulent transactions caused by identity theft. Customers need to secure their online and mobile payment transactions using two-factor authentication. Online systems accepting the payment need to ensure that the data required for two-factor authentication is captured and verified for every new customer, in the form of mobile phone numbers, email IDs or biometric information, depending on the mode of payment.

Customer Data Protection

With respect to payments, there is no real need to store customer account information or card details long term. The best way to protect the customer data is not to store it in cases where it is not required. In situations where it needs to be stored, it should be encrypted and stored on a private network with limited access for authorized personnel. A trusted third party payment partner may be engaged to ensure the collection and transfer of payments as well as storage of the required payment data.

Conclusion

For any customer-driven business, it is certainly beneficial to think of the customers’ needs first. Digital payments in all their forms, be it contactless cards or online payments, provide a convenient alternative for customers to transact with the business. The onus of ensuring the security of the payment system implementation lies with the business. Therefore, it is recommended to use the tried and tested industry best practices listed above when implementing the latest digital payment technology in your firm.

The Importance of Cybersecurity Standards in the Legal Field: What is “NIST”?
https://www.lawtechnologytoday.org/2019/06/cybersecurity-standards-in-the-legal-field/
Thu, 13 Jun 2019 15:00:00 +0000

Legal services rely significantly on knowledge and information. In addition, the attorney-client relationship cannot exist without confidentiality and privacy. For these reasons, the protection of sensitive communications and information is paramount to the legal profession.

In fact, according to the 2016 ABA Legal Technology Survey Report, 30.7% of all law firms and 62.8% of firms with 500 lawyers or more reported that current or potential clients made specific security requirements a part of their client agreements. Other law firms reported that corporate clients wanted access to the cybersecurity plans and prevention procedures implemented by the firms.

To better protect sensitive information and maintain privacy in an increasingly digital world, lawyers should know about and law firms should implement cybersecurity standards that are appropriate for the needs of their practice.

Many recent articles have documented the significant extent to which law firms are a prime target for cyber attack because they “house some of the world’s most valuable secrets.” Everything from trade secrets, to sensitive “market moving” information about a company’s finances, to healthcare information, and other sensitive non-public information occupy a law firm’s servers and data centers.

The cybersecurity practices of law firms are not directly regulated by the federal government. However, the specific nature of legal work performed by lawyers in the law firm, and the varied needs of clients in specific industries that are subject to cybersecurity regulation by the federal government, makes the delineation murkier.

Because the protected information may be transferred or made available to a lawyer as part of the lawyer’s representation, lawyers and law firms that regularly represent subject entities may in turn be required to comply with the same or similar cybersecurity standards.

State Regulations

Even for lawyers who do not represent entities that are subject to federal cybersecurity regulations, all American lawyers are subject to state regulation and disciplinary authority. Many states, along with the American Bar Association, have issued rules or advisory opinions relating to the cybersecurity obligations of lawyers and law firms.

For example, Formal Opinion 477R, which was recently issued by the ABA Standing Committee on Ethics and Professional Responsibility, “explained a lawyer’s ethical responsibility to use reasonable efforts when communicating client confidential information using the Internet.” In addition, the same Standing Committee issued Formal Opinion 483, providing new guidance “on an attorney’s ethical obligations after a data breach.”

Under the ABA’s Formal Opinion 477R, “[a] lawyer should understand how their firm’s electronic communications are created, where client data resides, and what avenues exist to access that information.” In addition, Formal Opinion 477R notes, “[l]awyers must, on a case-by-case basis, constantly analyze how they communicate electronically about client matters.”

Similar rules exist in most states. For example, in California, attorneys will be deemed to have violated their duties of confidentiality and competence if they fail to take the proper precautions to protect client data. Similarly, in Florida, “[l]awyers may use cloud computing if they take reasonable precautions to ensure that confidentiality of client information is maintained, that the service provider maintains adequate security, and that the lawyer has adequate access to the information stored remotely,” and “[t]he lawyer should research the service provider to be used.”

In sum, under these Formal Opinions and similar guidance from various states, attorneys must exercise “reasonable efforts” to prevent “inadvertent or unauthorized” disclosure and access to client information, including by staying up to date on technological developments and threats.

For this reason alone, ignoring the realities of digital threats will expose your firm and clients to potentially significant liabilities.

Because cybersecurity is an ever-evolving concern, simply drafting a document of best practices is insufficient. For that reason, the Special Publication 800 series on cybersecurity from NIST (the National Institute of Standards and Technology) is regularly updated to keep cybersecurity standards as current as possible.

NIST SP 800 is a series of documents that not only detail cyberthreat prevention practices, but also consider and showcase feasibility and cost-effectiveness of the suggested standards.

Although these standards are voluntary, maintenance and implementation of the standards would likely stave off or at least help prevent liability in the event of a data security breach.

Compliance with the NIST SP 800 series is not as intimidating as it may first appear. For instance, NIST 800-171 covers the secure sharing of information. Federal Computer Week boils compliance with NIST 800-171 down to seven essential steps.

Adjusting the language of the guidelines away from government-specific applications, and to suit the needs of law firms, gives you the following list:

Identify systems that contain sensitive information

Separate sensitive information from more benign information

Limit access of sensitive information only to authorized employees

Encrypt all data, including sensitive information

Monitor access to sensitive information

Regularly train and retrain employees on cybersecurity best practices

Regularly conduct security assessments of all systems

Although more detailed examination may be required by some law firms whose needs are greater, many law firms would be well-suited to at least implement and then regularly refresh the simplified list above.

As helpful as automation and other applications can be, if the applications do not comply with cybersecurity best practices, they become security risks in and of themselves. Stated differently, non-compliant legal applications can be more trouble than they are worth.

Lawyers may receive sensitive documents from clients quite often, depending on their specialization. Whether you’re a real estate lawyer receiving mortgage documents, or a criminal lawyer looking at death certificates and other important legal documents, you likely deal with sensitive information on a regular basis—information that might be useful for hackers and fraudsters in some way. The importance of keeping a client’s information secure isn’t lost on most professionals, but many may not know how to make this happen in practice. The world of cyber security changes pretty quickly, and unscrupulous individuals are always looking for new angles to gain access to information. While certain criminals may use complex tools to force their way into computer systems, some of these methods may be more “low tech” than you might expect.

Short of adding dedicated cyber security staff to your team, the following habits and actions can make email communications much more secure.

Password Security

Passwords prevent unauthorized use of email accounts and other online accounts. Easy-to-guess passwords leave lawyers (and the clients they’re communicating with) vulnerable to discovery by cyber criminals. If an account is ever compromised, the password needs to be changed.

Two factor authentication can be a great failsafe for any password that is cracked, as it will add another level of security to an account. However, it is important to understand that this is not a cure-all solution. If a criminal is able to take control of your phone or the account for your cell phone plan, they may be able to bypass this security measure.

Avoid writing passwords down, and never record your password openly on your phone. All other security measures are pointless if someone can walk by your desk and learn your password.

Regularly changing passwords, while a good practice in an ideal setting, can present security risks if these passwords are not remembered. Lawyers having a hard time remembering their password should use a reputable encrypted password manager. This secure software generates, retrieves and tracks passwords for users.

Lawyers who choose not to use a password manager and who instead generate their own passwords should make those passwords very challenging yet memorable. This means using passwords that have a variety of uppercase and lowercase letters, special characters, and numbers. It is typically suggested to not use words found in the dictionary, but that doesn’t mean memorable variations cannot be utilized. A password like “Numb3r_1_L4wy3r!” might be a bit funny-looking, but it is quite strong as a password while being relatively easy to memorize.

According to a Verizon Data Breach Investigations Report, over 70% of employees re-use passwords and 81% of breaches were due to “stolen and/or weak passwords”. Re-using the same passwords across multiple applications or platforms just gives hackers the ability to access sensitive data in multiple locations. Lawyers must take care to ensure that their email password is unique.
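The rules in the paragraphs above (mixed character classes, no dictionary words even with letter-for-digit substitutions, no reuse across accounts) can be turned into a check a firm runs at password-set time. The following is an added example written for this page, not code from the original article; the common-password set is a constructed stand-in for a real breached-password corpus, and the entropy figure is an upper bound that assumes the characters were chosen at random:

```python
import math
import string

# Constructed stand-in for a breached/common-password list (a real check uses a real corpus).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "lawyer", "numberone"}

# Substitutions attackers' wordlists undo routinely, so "P@ssw0rd" is still "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
STRIP_PUNCT = str.maketrans("", "", string.punctuation)


def normalize(pw: str) -> str:
    """Lowercase, undo common substitutions and drop punctuation before a dictionary lookup."""
    return pw.lower().translate(LEET).translate(STRIP_PUNCT)


def check_password(pw: str, min_len: int = 12, common=COMMON_PASSWORDS) -> list[str]:
    """Return the policy rules the password fails; an empty list means it passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = {
        "uppercase": any(c.isupper() for c in pw),
        "lowercase": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"no {name} character")
    if pw.lower() in common or normalize(pw) in common:
        problems.append("matches a common password (after undoing letter/digit substitutions)")
    return problems


def estimate_entropy_bits(pw: str) -> float:
    """Upper-bound strength: length times log2 of the alphabet the password draws from."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += 32
    return len(pw) * math.log2(pool) if pool else 0.0


def reused_passwords(accounts: dict[str, str]) -> list[list[str]]:
    """Group account names that share one password, so reuse (e.g. email = bank) is visible."""
    by_password: dict[str, list[str]] = {}
    for account, pw in accounts.items():
        by_password.setdefault(pw, []).append(account)
    return [group for group in by_password.values() if len(group) > 1]


if __name__ == "__main__":
    for candidate in ("Numb3r_1_L4wy3r!", "P@ssw0rd!!!!", "password"):
        print(candidate, check_password(candidate), round(estimate_entropy_bits(candidate), 1))
    # Constructed sample: the same password used for the mailbox and the bank login.
    print(reused_passwords({"email": "Numb3r_1_L4wy3r!", "bank": "Numb3r_1_L4wy3r!", "vpn": "other"}))
```

The normalization step is what separates a useful check from a box-ticking one: a password that satisfies every character-class rule can still be a dictionary word in disguise, and that is exactly what cracking wordlists test first.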

Education and Avoiding Social Engineering

Even if a lawyer is doing their part to make their email secure, their efforts could be for nothing if they aren’t educating people who work in their office. It’s also vitally important to educate clients about email best practices. No matter what security measures are in place, email is not a completely secure medium. Lawyers can protect their clients by avoiding use of email for sensitive information.

This requires the client to never send anything over email that contains a social security number, bank account number, credit card number or another piece of sensitive identifying information. These instructions should be given to clients on their first communication with the lawyer, and repeatedly thereafter. They can be told what requests they might expect or not expect to receive from your email.
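Both the NIST-derived list earlier on this page (identify and separate the systems and documents that hold sensitive information) and the rule just stated (no social security, bank account or card numbers over email) come down to the same detection task: recognizing those identifiers in text. The following is an added example written for this page, not the article's or NIST's own code; the sample documents and messages are constructed, and the patterns cover US social security numbers and Luhn-valid payment card numbers only (bank account numbers have no checkable format and would need a per-bank rule):

```python
import re
from dataclasses import dataclass

# SSN: AAA-GG-SSSS, excluding the area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which every real card number satisfies; filters out case numbers etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str    # "ssn" or "card"
    masked: str  # only the last four digits survive into logs or alerts
    where: str   # document name or message part


def scan_text(text: str, where: str = "body") -> list[Finding]:
    """Find sensitive identifiers in free text, returning masked findings only."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", "***-**-" + m.group()[-4:], where))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("card", "*" * (len(digits) - 4) + digits[-4:], where))
    return findings


def classify_documents(docs: dict[str, str]) -> dict[str, list[Finding]]:
    """Step 1/2 of the list: which documents hold sensitive data and so need separate handling."""
    return {name: f for name, text in docs.items() if (f := scan_text(text, name))}


def check_outbound_email(subject: str, body: str) -> tuple[bool, list[Finding]]:
    """Gate for a mail filter: (True, []) when the message may go, else the masked findings."""
    findings = scan_text(subject, "subject") + scan_text(body, "body")
    return len(findings) == 0, findings


if __name__ == "__main__":
    # Constructed sample documents; 4111 1111 1111 1111 is the well-known Visa test number.
    docs = {
        "intake-form.txt": "Client SSN 123-45-6789, retainer card 4111 1111 1111 1111 exp 12/25",
        "court-calendar.txt": "Hearing in case 2019-CV-0042 moved to 10:30, call 555-123-4567",
    }
    for name, found in classify_documents(docs).items():
        print(name, [(f.kind, f.masked) for f in found])
    print(check_outbound_email("Re: closing", "Please wire to account ending 4421 as discussed"))
```

A mail filter built on this should quarantine on a finding rather than bounce with the matched value in the error text, since the bounce itself would then carry the identifier; the masked form in `Finding` is what belongs in the alert.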

One popular way that sensitive information is obtained is frighteningly simple—the criminal simply asks for it. Fraud often occurs when clients receive an email from a similar address to your own that asks for sensitive information. Firms and clients may be targeted by fraudsters posing as legitimate businesses with emails requesting payments for services or simply a log-in verification using similar tactics. If a vendor’s email is sales@vendor1.com, someone looking to pull off this scheme may use an address like sales@vendor01.com in an attempt to trick the reader.

Lawyers can teach the people who work in their office, from the receptionist to the other lawyers, to have a critical eye when emails like this come through. Sending reminder emails periodically, and training all new employees about the best practices for protecting client information, can help prevent a breach.
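The vendor1.com versus vendor01.com trick above is a pattern a mail gateway can catch before a person has to. The following is an added example written for this page, not code from the original article; the list of known vendor domains is constructed, and the distance threshold and confusable-character table are assumptions a firm would tune against its own contact list:

```python
# Constructed allowlist: domains the firm actually does business with.
KNOWN_DOMAINS = {"vendor1.com", "lawfirm-client.example"}

# Characters that look alike at a glance; both sides of a comparison are mapped through this.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "|": "l"})


def skeleton(domain: str) -> str:
    """Reduce a domain to its visual skeleton so vend0r1.com and vendorl.com compare equal."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one inserted digit (vendor1 -> vendor01) is distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(addr: str) -> str:
    """Domain part of 'Name <user@host>' or 'user@host', lowercased."""
    return addr.rsplit("@", 1)[-1].strip().lower().strip(">")


def classify_sender(addr: str, known=KNOWN_DOMAINS, max_distance: int = 2) -> tuple[str, str]:
    """Return ('known', domain), ('lookalike', imitated_domain) or ('unknown', domain)."""
    dom = sender_domain(addr)
    if dom in known:
        return "known", dom
    for k in known:
        if dom.endswith("." + k):  # mail.vendor1.com is still vendor1.com's
            return "known", k
    for k in known:
        if skeleton(dom) == skeleton(k) or levenshtein(dom, k) <= max_distance:
            return "lookalike", k
    return "unknown", dom


if __name__ == "__main__":
    # Constructed sample senders, including the page's vendor01.com example.
    for sender in ("sales@vendor1.com", "Sales <sales@vendor01.com>", "billing@vend0r1.com",
                   "ops@mail.vendor1.com", "someone@totally-different.example"):
        print(sender, "->", classify_sender(sender))
```

Treat a "lookalike" verdict as a reason to tag the message and route it for a second look, not as proof of fraud: the distance threshold will also pair genuinely distinct short domains, so the value of the check is in surfacing the handful of messages worth a phone call to the vendor at a number already on file.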

Your clients must know their information is safe with your office. By training your employees, educating clients, and taking proper measures to protect client information, you can help stop cyber criminals from accessing your firm’s data.

Best Ways to Secure Your Legal Site
https://www.lawtechnologytoday.org/2019/06/best-ways-to-secure-your-legal-site/
Thu, 06 Jun 2019 15:00:00 +0000

There’s no doubt that for a legal firm, cybersecurity is a priority. And there’s a ton of reasons for that:

You’re storing personal data of your clients, who also provide you with billing information that should be well-protected.

Your own financial, human resources, and other procedures are under threat if your cybersecurity measures aren’t substantial enough.

Your whole practice and cases you’re working on are under a constant threat of being stolen or leaked if you don’t secure your online activity.

Cybersecurity has been a widely discussed topic for over two years, and yet neither governmental institutions nor private companies take online security seriously. In an interview with CNN, Erik Brynjolfsson, a professor from MIT, commented on this issue back in 2018, saying that cybersecurity systems are so atrocious that not only websites and social networks, but banking and voting systems aren’t secure from being attacked by hackers.

Multiple cyber attacks over 2017 and 2018 have shown how detrimental lax cybersecurity systems can be. Not to mention that they can cost your legal practice over $2 million, the most expensive component of a cyber attack being information loss (comprising 43% of all costs).

Attacks on websites are also among those frequently occurring instances of cyber attacks, as they contain a lot of important data on how a company operates, not to mention that your website is your online business card.

So, what should you do to secure your legal site from malware attacks?

Here are some tips.

HTTP vs. HTTPS

It is common knowledge that the majority of websites use HTTP (Hypertext Transfer Protocol). This is the basic protocol that delivers information to your website’s visitors. However, back in 2014 Google recommended that all website owners move their sites to HTTPS (Hypertext Transfer Protocol Secure), claiming that this protocol will secure them from online threats.

The main difference between HTTP and HTTPS is that the latter uses an SSL certificate, meaning that HTTPS has extra security in the form of data encryption. An SSL certificate is extremely important for websites that contain sensitive data like passwords, financial data, etc. Legal websites may contain data on current practices and cases, which is also in danger of being leaked. Securing your website with the HTTPS protocol gives you extra protection against cyber attacks.

Cloud Backup

Cloud storage has become widely popular in the business community, with 85% of businesses already using this technology to store sensitive data. Here are the reasons why your legal firm should do it too:

High usability: cloud storage easily syncs with your devices, so if you create a document on your computer, it instantly gets uploaded to the cloud and you can recover it at any time.

Emergency recovery: cloud storage is a good backup plan in case of an emergency. And the built-in security systems used by all cloud storage providers give your documents extra protection.

Versatility and accessibility: documents stored in the cloud can be accessed from anywhere.

A big advantage of using cloud storage for backup is its cost. Purchasing a gigabyte of online storage will only cost you around three cents, with additional features to boost your security. Investments in cybersecurity, in general, can cost your legal firm millions of dollars annually, and although this investment is worth its money, you can save on backup using cloud storage.

Two-Factor Authentication

For all the information you store on your website you might need extra security layers. This can be ensured by implementing two-factor authentication—a system that requires a person to present at least two pieces of evidence to be allowed to enter and use sensitive data.

For instance, you can ask a person to enter not only a login and password but some extra data, like their mother’s maiden name or the university they went to, before allowing them to enter your website. “We’ve implemented two-factor authentication after launching our app, and we have never had security breaches since,” says Martin Harris, app developer at Flatfy.

Indeed, research shows that multi-factor authentication is becoming a trend in online security with new features, like behavioral indexes and personalized password generation systems being introduced to secure information online.

For a legal firm, two-factor authentication is a must-have. It is important to remember that you store a lot of sensitive information important not only for your practice but for the security of your customers. Implementing this system will give your legal site an extra level of security.
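
The following Python implementation of time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226) is an added example, not code from the article or from Flatfy. It uses only the standard library and the RFCs' published test secret, and it shows the two details a server-side implementation must get right: accepting a small window of adjacent time steps to tolerate clock skew, and refusing a code that has already been redeemed.

```python
"""Time-based one-time passwords (RFC 6238) on top of HOTP (RFC 4226), standard library only.

Added example, not from the article. A code derived from a secret shared only with the
user's device and the current time is a genuine second factor: a stolen password alone
is not enough to log in.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1, used=None):
    """Accept `code` if it matches the current step or one within `window` steps.

    `used` is an optional per-user set of counters already redeemed; each code is
    valid once only, which blocks replay of a code captured by a phishing page.
    """
    if at is None:
        at = time.time()
    counter = int(at) // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        expected = hotp(secret, candidate, digits)
        # constant-time comparison: do not leak how many digits matched
        if hmac.compare_digest(expected, code):
            if used is not None:
                if candidate in used:
                    return False
                used.add(candidate)
            return True
    return False


def new_secret(nbytes=20):
    """Fresh shared secret plus its base32 form for the QR code an authenticator app scans."""
    raw = secrets.token_bytes(nbytes)
    return raw, base64.b32encode(raw).decode("ascii")


if __name__ == "__main__":
    raw, b32 = new_secret()
    print("provision this in the authenticator app:", b32)
    code = totp(raw)
    print("current code:", code, "verifies:", verify_totp(raw, code))
```

new_secret() returns the base32 form that authenticator apps expect; the server stores the raw secret and calls verify_totp() at login. Keep the `used` set per user so that a code intercepted by a phishing page cannot be replayed within its 30-second window.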

The Bottom Line

It’s a fact that cybersecurity should be taken more seriously. Yet many companies still fail to use the tools and practices that could protect them, and pay for it in breach costs.

Lesson here? Invest in making your legal site more secure to protect valuable information. In a world where cyber attacks are more and more common, improving cybersecurity is not a whim. It’s a necessity.

Some have updated the old joke about the check being in the mail: the biggest lie on the internet is now “I have read and agree to the terms and conditions.” We are all guilty of scrolling quickly to the bottom of the page, searching for the place to click Agree in order to move on with our purchase. A 2017 Deloitte survey reported that a whopping 91% of people do not read anything before agreeing to the legal terms for use of mobile applications and websites, including social media sites. Among people aged 18 to 34, almost everyone accepts the terms without reading, with the rate climbing to 97%.

When you check “Agree”, what does it really mean? The answer is within those lengthy legal terms and conditions and, unfortunately, without reading them you cannot be at all sure what you are signing up for with that one click. People skip the terms and conditions not only because of time pressure; the lack of plain English and the overuse of legal jargon put the average person off even trying.

Privacy

A hot topic is the privacy of your data, which ranges from basic information like an email address or a mobile phone number all the way to personally identifiable information (PII) such as Social Security numbers and credit card data. The same Deloitte survey reports that people are concerned about privacy with respect to the internet of things, particularly smart home technology. Yet almost everyone still agrees to the terms and conditions for these devices without reading about any impact on privacy. And when the cold calls and spam emails start, everyone forgets that they visited that site and agreed to terms without a second glance.

What’s In, What’s Out?

As an example, the Apple Media Services Terms & Conditions are a full 12 pages long and do not include the privacy policy which is totally separate. However, those privacy terms are actually agreed upon when the user accepts the overall terms. On page two, there is a line that states “Your use of our Services is subject to Apple’s Privacy Policy, which is available at https://www.apple.com/legal/privacy/.”

Companies place links to external policies in the terms and conditions, and because those policies are incorporated into the overall document, you are agreeing to much more than meets the eye even if you do take the time to scroll through.

Copyright and Trademarks

Intellectual property provisions are almost always included in the terms, are filled with technical language, and expose infringers to hefty penalties. The average user does not understand the difference between a copyright and a trademark and would still be confused by the wording around intellectual property prohibitions and protections. Yet when you click the accept button, these complicated provisions apply to your use of the website.

Newsletters

The spam calls have spilled over into our inboxes as unwanted newsletters and other marketing materials constantly ping us. You can take the time to unsubscribe by scrolling to the very bottom of each email to the required opt-out link. (If you send marketing email yourself, make sure it gives the user that ability to opt out.) Many people think that they never signed up for a particular newsletter, but most likely, when joining the website, they did not read the fine print and agreed to terms that included receiving regular emails.

On a lighter note, two university professors, Jonathan Obar and Anne Oeldorf-Hirsch, put together a fake social media site, NameDrop, and ran an experiment to see how many of the 543 participants ignored the privacy policy and/or the terms of service. Not surprisingly, 74% of the participants jumped to the quick join option and did not read the privacy policy at all. Those who did not use quick join spent an average of 73 seconds on the privacy policy; at average reading speed it should have taken about 29 to 32 minutes to read. The terms of service fared even worse: everyone had the opportunity to read them, and doing so should have taken about 15 to 17 minutes, but people spent an average of 51 seconds. Only 3% of people declined the privacy policy and 7% rejected the terms of service.

Interestingly enough, NameDrop terms of service had some buried gems in their terms about sharing people’s data with the NSA and their employers and giving up a first-born child for SNS access. More proof that no one reads!

In summary, other than encouraging people to read the terms and conditions, not much can be changed from a human behavior point of view. However, companies can pare back the length of these agreements and, more importantly, write in plain English. The legal speak prevalent in many policies and terms is not customer-friendly, and pointing to the fine print on a website as a justification will not serve your brand well. Instead, a brief summary or a set of frequently asked questions, particularly with respect to privacy and cybersecurity, could provide that needed connection with the user.

Source: https://www.lawtechnologytoday.org/2019/05/clicking-away-your-privacy-and-more/

How the Cybersecurity Act is Changing IoT Security

Law Technology Today, 8 May 2019, https://www.lawtechnologytoday.org/2019/05/how-the-cybersecurity-act-is-changing-iot-security/

Lawmakers are in a race against time to ensure that the new technology is safe for users.

Twenty-six billion devices are currently connected to the internet of things, and by 2025 this is expected to skyrocket to 75 billion. Lawmakers are in a race against time to ensure that the new technology is safe for users. As more everyday objects get hooked up to the internet, there are more opportunities for attackers to gain access to sensitive information or take over a device remotely. While some American states have made progress in passing internet security laws, it is the EU that is leading the way. The Cybersecurity Act, originally proposed in 2017 and adopted in 2019, has two main objectives: to create an EU-wide framework for cybersecurity certification of products and services, and to give the European Union Agency for Network and Information Security (ENISA) a permanent mandate and the resources to run it.

Levels of Certification

Certification is a means by which a business can have the security of its product evaluated against an agreed standard. Under the Act it is voluntary unless other EU law makes it mandatory, but it gives customers an idea of the assurance level of the devices they buy. As more and more properties come with integrated tech, certification lets homebuyers see what level of security the installed devices have been assessed to.

When new properties are developed, they are more likely than ever to have IoT capabilities, even before the new owners move in. The EU Cybersecurity Act defines three assurance levels: basic, substantial and high. At the basic level, the manufacturer may carry out a conformity self-assessment and put minimal protections in place. At the substantial and high levels, an independent conformity assessment body evaluates the product, and high-level certificates additionally involve the member state's national cybersecurity certification authority, so a buyer who sees those levels knows that a rigorous independent assessment has been carried out.

Granting New Authority to ENISA

ENISA is the EU agency that supports member states and EU institutions on network and information security. Its mandate was due to expire in 2020, and it had little authority over how tech companies secured their products. The Cybersecurity Act changes this.

ENISA’s mandate has now been made permanent and its funding increased so that it has the means to carry it out. Under the Act, ENISA prepares the EU-wide cybersecurity certification schemes against which products are evaluated, while supervision and enforcement of the resulting certificates rest with national cybersecurity certification authorities in each member state. Organizations across the EU therefore have a single reference point for whether a product's security has been assessed to a recognized standard.

How Businesses Will Be Affected

Security professionals have welcomed the Cybersecurity Act, but US tech firms are concerned about the extra bureaucracy it could impose on them. In the US, California has moved first: its connected-device law (SB-327, signed in 2018 and in force from January 2020) requires manufacturers to equip devices with reasonable security features, and California also happens to be where many tech firms are located. Ultimately, time and cost for businesses will increase, but a high certification level reduces the chance of future problems and shows customers that their protection has been taken seriously.

The Cybersecurity Act was moved quickly through the EU legislative process in order to keep up with a rapidly changing world. Tech will soon be built into all new homes, and that opens up security risks. Getting a head start on laying down regulations will keep customers safe as they enjoy the convenience that comes with an IoT home.

How To Keep Your Personal And Business Data Safe

Law Technology Today, 28 March 2019, https://www.lawtechnologytoday.org/2019/03/how-to-keep-your-personal-and-business-data-safe/

It’s best to avoid any unpleasant conversations about stolen or lost data by preparing for the threat instead of ignoring it.

In 2017 alone there were around 16.7 million cases of identity theft online, a record high following the previous record of 2016. Criminals are evidently finding more and more ways to steal data efficiently and covertly. Companies like Wells Fargo and Google, among dozens of others, have faced severe backlash for losing their consumers’ data and having their privacy breached. In an occupation like law, data breaches can be even more damaging: how can clients trust lawyers and firms who cannot secure their private information? Whether you are looking to protect your personal information or setting up shop as a freelance lawyer, keeping your data secure should be one of your most pressing concerns. Fortunately, the following steps will help keep your data safe.

Set Up A VPN

A VPN (virtual private network) is useful for both individuals and firms, particularly when working from hotel, airport or coffee-shop Wi-Fi. A VPN creates an encrypted tunnel between your device and the VPN provider's server, so that anyone on the local network or in between cannot read or tamper with your traffic, and the websites you visit see the VPN server's IP address rather than yours. Be clear about what it does not do: traffic is protected only as far as the VPN server, after which it continues to its destination as it normally would, so the VPN provider can see where you connect and you are trusting it instead of the coffee shop. It does not encrypt email or client files at rest, and it does not make a conversation with a client confidential end to end; encrypted messaging or email does that. With so many providers out there, look up independent reviews, prefer one with a published no-logging policy and audited software, or use your firm's own VPN to reach office systems.

Keep Backups For All Files

The number one cause of data loss for firms? Hardware or system malfunction, which more than two-fifths of users have experienced. Losing your data in the law profession can be simply disastrous. Imagine putting a month’s worth of work into a client matter only to have your computer fail and lose it all. To avoid this, find a reliable way to back up your data, and follow more than one of the following approaches so that no single failure can cost you important information.

Keeping hard copies in a safe, ideally a fireproof one, is the simplest way to make sure data survives. Data security is no joke; in many situations the data is worth more than money. A safe should only be a last resort, however, since recovering everything from paper is far too time-consuming. A better primary backup is an online backup service such as Dropbox or Backblaze, which keeps electronic data accessible at all times and from wherever you are. If you are concerned about data being stolen, or want to be as safe as possible, add an encrypted external hard drive that you keep with you or in a secure place, and disconnect it after each backup so that ransomware on your computer cannot reach it. The common rule of thumb is three copies of your data on two different kinds of media with one kept off site, and whatever the arrangement, test a restore periodically: an untested backup may turn out to be empty, corrupt or unreadable exactly when you need it.
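
As an added example (not from the original article), this Python script backs up a folder to a tarball with a SHA-256 manifest and then performs the restore test that is so often skipped: it extracts the archive into a fresh directory and compares every file against the manifest. The "client-matters" folder and its file contents are constructed sample data.

```python
"""Back up a folder to a tarball with a SHA-256 manifest, then verify it restores intact.

Added example, not code from the original article. The "client-matters" folder and
its contents in run_demo() are constructed sample data.
"""
import hashlib
import json
import os
import tarfile
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src_dir):
    """Map each file's path relative to src_dir to its SHA-256 digest."""
    manifest = {}
    for root, _, files in os.walk(src_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, src_dir)] = sha256_file(full)
    return manifest


def make_backup(src_dir, archive_path):
    """Write a gzip tarball of src_dir plus a JSON manifest next to it; return the manifest."""
    manifest = build_manifest(src_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    with open(archive_path + ".manifest.json", "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def check_dir(directory, manifest):
    """Return the manifest entries that are missing or altered under `directory`."""
    problems = []
    for rel, digest in manifest.items():
        path = os.path.join(directory, rel)
        if not os.path.isfile(path):
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != digest:
            problems.append(f"altered: {rel}")
    return problems


def verify_restore(archive_path, manifest, restore_dir):
    """Extract the archive into restore_dir and check every file against the manifest."""
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            tar.extractall(restore_dir, filter="data")  # refuses path traversal (Python 3.12+)
        except TypeError:
            tar.extractall(restore_dir)                 # older Python has no filter argument
    return check_dir(restore_dir, manifest)


def run_demo():
    """Back up a constructed sample folder, verify it, then tamper with the restored copy."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "client-matters")
        os.makedirs(os.path.join(src, "smith-v-jones"))
        with open(os.path.join(src, "smith-v-jones", "brief.txt"), "w") as f:
            f.write("Draft brief (constructed sample data).\n")
        with open(os.path.join(src, "retainer.txt"), "w") as f:
            f.write("Retainer agreement (constructed sample data).\n")

        archive = os.path.join(work, "backup.tar.gz")
        manifest = make_backup(src, archive)

        restore_dir = os.path.join(work, "restore")
        clean = verify_restore(archive, manifest, restore_dir)

        # Simulate silent corruption of one restored file and confirm the check catches it.
        with open(os.path.join(restore_dir, "retainer.txt"), "a") as f:
            f.write("bit rot\n")
        tampered = check_dir(restore_dir, manifest)
        return clean, tampered, len(manifest)


if __name__ == "__main__":
    clean, tampered, count = run_demo()
    print(f"{count} files backed up; restore problems: {clean or 'none'}; after tampering: {tampered}")
```

Run it as-is to see a clean restore followed by a detected corruption. For real use, write the archive to your off-site or offline medium and keep the manifest somewhere separate, so that a tampered archive cannot bring its own "correct" digests along with it.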

Have A Quality Anti-Virus Program

Anti-virus software is a requirement on any computer holding data worth keeping safe, and all the more so in the law profession. Malware can arrive through a malicious website, an email attachment or a trojanized program, then quietly steal data or encrypt it and demand payment for its return. Use a reputable product, keep its real-time protection switched on and scan regularly rather than waiting for a problem to surface. Antivirus products check files and downloads against signatures of known malware and, increasingly, against behavioural indicators, and they update their detection databases constantly so that newly discovered threats are recognized. They are not a complete defence, however: new or targeted malware can slip past them, so keep the operating system and applications patched and do not rely on antivirus alone.

Working in the field of law can be both stressful and immensely rewarding. As any lawyer knows, plenty of things can go wrong with a client at any minute. It’s best to avoid any unpleasant conversations about stolen or lost data by preparing for the threat instead of ignoring it. Keeping computers and data safe is more relevant today than ever, and it will continue to be one of the most pressing concerns for individuals and firms alike. Back up your data, set up a VPN, and invest in an antivirus program to make yourself more secure online.

In 2017, the ABA Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 477R, which “explained a lawyer’s ethical responsibility to use reasonable efforts when communicating client confidential information using the Internet.” More recently, in October of 2018, the same Standing Committee issued Formal Opinion 483, providing new guidance “on an attorney’s ethical obligations after a data breach.”

Under these Formal Opinions, lawyers must not only safeguard client data, but they must now also notify a client if a data breach exposes their confidential information.

The recent Foley & Lardner incident serves as a reminder that law firms “remain high-priority targets of hackers, ransomware and, more recently, nefarious miners of cryptocurrency.” According to Lawyers Mutual, 22 percent of law firms experienced a cyberattack or data breach in 2017, up from 14 percent the year before.

Nature of the Cyberthreat

It has become common to hear that an organization has been hacked. The legal sector stands out, however, because of its large cache of sensitive client data, which makes law firms an attractive target for attackers.

“From patent disputes to employment contracts, law firms have a lot of exposure to sensitive information. This confidential information is often stored on on-premise enterprise systems at law firms. This makes them an attractive target for hackers that want to steal consumer information and corporate intelligence. For an example of this, look no further than the Panama Papers – ‘…an unprecedented leak of 11.5 million files from the database of the world’s fourth biggest offshore law firm’,” wrote Dan Steiner in CIO.

As previously noted, in response to the increase in sensitivity to cybersecurity and data breach risks, ABA Standing Committee on Ethics and Professional Responsibility expanded upon a lawyer’s ethical responsibility to secure client information when communicating digitally to now also address a lawyer’s ethical obligation to a client after a data breach exposes their confidential information.

This latest ethics opinion – Formal Opinion 483 — includes new guidance for lawyers to meet this obligation when handling post breach measures.

Depending on the incident and the lawyer’s knowledge regarding the incident, Formal Opinion 483 references five rules imposed by the Model Rules of Professional Conduct.

Model Rule 1.1 imposes the duty of competence. A lawyer must have the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation of a client, which includes understanding the basic features of relevant technology.

Model Rule 1.4 addresses a lawyer’s requirement to keep clients “reasonably informed” about the status of their matter.

Model Rule 1.6 governs confidentiality: a lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, and must make reasonable efforts to prevent unauthorized access to such information.

Model Rule 5.1 sets out the responsibilities of a partner or supervisory lawyer to make reasonable efforts to ensure that the firm has measures in place giving reasonable assurance that all lawyers conform to the Rules of Professional Conduct.

Model Rule 5.3 extends the same responsibility to nonlawyer assistants: the firm must have measures giving reasonable assurance that their conduct is compatible with the professional obligations of the lawyer.

Applying these pre-existing obligations in the context of a data breach, the ABA Standing Committee noted that “[c]ompliance with the obligations imposed by the Model Rules of Professional Conduct, as set forth in this opinion, depends on the nature of the cyber incident, the ability of the attorney to know about the facts and circumstances surrounding the cyber incident, and the attorney’s roles, level of authority, and responsibility in the law firm’s operations.”

One thing to note is that Formal Opinion 483 references – but does not otherwise address — other laws that may impose post-breach obligations, “such as state breach notification laws, HIPAA, or the Gramm-Leach-Bliley Act.” Instead, the ethics opinion states that “[e]ach statutory scheme may have different post-breach obligations, including different notice triggers and different response obligations.”

Additional research and expert consultation may be required, and it is best practice to analyze compliance separately under every applicable law or rule.

Recommended Reasonable Efforts

There are various steps you can take to prevent or reduce the possibility of a data breach.

Your first order of business should be to check whether the firm’s technology-dependent processes are up to date and secure.

“The opinion states that these efforts may include restoring or implementing technology systems where it is practical, but also declining a technology solution if a task does not require it. The idea here being that internet-enabled services increase a firm’s vulnerabilities,” wrote Jason Tashea in the ABA Journal. Model Rules 5.1 and 5.3 require partners and supervising lawyers to make reasonable efforts to establish internal policies and procedures giving reasonable assurance that the firm’s lawyers and staff conform to the Rules; the comments cite procedures to detect and resolve conflicts of interest as one example, and procedures for keeping technology current and secure fall in the same category. Monitoring and updating the technological processes within your firm is a straightforward way to meet this obligation.

Attackers look for known vulnerabilities, and the problem is magnified once the software publisher or device manufacturer stops supporting a product, because no fix will ever arrive. Old software and devices substantially increase the chances of a data breach because they have not been updated to address the latest threats.

Clients are becoming more tech-savvy and are seeking lawyers who are implementing more secure methods to safeguard their data. In fact, a Microsoft survey found 91 percent of people would stop doing business with a company because of its outdated technology.

Implementing secure communication and collaboration tools, such as email encryption and secure client portals, is a simple way to protect client data.

For example, the major web-based email platforms, Google’s Gmail and Microsoft’s Outlook, encrypt messages in transit between mail servers with TLS, and their business editions offer message-level encryption features (such as Office 365 Message Encryption or Gmail’s S/MIME support) for sensitive correspondence. For lawyers seeking end-to-end encryption, where only the intended recipient can decrypt the message, OpenPGP (for example with GnuPG) is another option, though it requires both sides to manage keys. Secure online client portals built into practice-management software are a further way to exchange documents without relying on email at all.

Communication with clients is key to their representation. As Formal Opinion 477R addresses, lawyers are responsible for protecting client information when communicating digitally. It’s best practice to utilize the tools available to secure — and possibly also encrypt — any digital communications between you and your client.

A report published by Above the Law states that “email is the weakest link for many law firms, with phishing emails being one of the most common types of hacking encountered by lawyers.” Phishing is the practice of sending fraudulent emails that appear to come from a reputable person or company in order to deceive the recipient into sharing protected client information, entering credentials on a fake login page or opening a malicious attachment.

Under Rule 1.6, lawyers are required to preserve the confidentially of information and to prevent the inadvertent disclosure of information relating to the representation of a client. Firms should train their staff on how to recognize and avoid phishing scams or attacks. Keeping your staff up to date on the appropriate handling of sensitive firm as well as client data is as important as keeping software and hardware systems current.
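
As an added example (not code from the article or from Above the Law), the Python script below applies the indicators that phishing training teaches to a raw email message: a sender domain that imitates the firm’s, a display name that borrows the firm’s name, a Reply-To pointing elsewhere, failed SPF/DKIM/DMARC results in the Authentication-Results header, and links whose visible text names one host while the link goes to another. The firm domain examplefirm.com and both messages are constructed.

```python
"""Flag common phishing indicators in a raw RFC 5322 message.

Added example, not code from the original article. Heuristics only, meant to show
what staff are trained to look for. The firm domain and the two messages below are
constructed; addresses and hosts use documentation/TEST-NET values.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplefirm.com"}   # assumed: the firm's own domain(s)
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_trusted(domain):
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def looks_alike(domain):
    """Cheap imitations: digit-for-letter swaps, 'rn' for 'm', or the firm name buried in another domain."""
    normalized = domain.translate(HOMOGLYPHS).replace("rn", "m")
    return any(normalized == t or t.split(".")[0] in domain for t in TRUSTED_DOMAINS)


def html_parts(msg):
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_payload(decode=True).decode("utf-8", "replace")


def analyze(raw):
    """Return a list of (code, detail) findings; empty means nothing suspicious was seen."""
    msg = message_from_string(raw)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    if not is_trusted(from_dom):
        if looks_alike(from_dom):
            findings.append(("lookalike-sender", from_dom))
        if any(t.split(".")[0] in display.lower() for t in TRUSTED_DOMAINS):
            findings.append(("display-name-spoof", f"{display!r} from {from_dom}"))

    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"{from_dom} -> {reply_dom}"))

    for mech, result in AUTH_RE.findall(msg.get("Authentication-Results", "")):
        if result.lower() in ("fail", "softfail", "permerror"):
            findings.append(("auth-fail", f"{mech.lower()}={result.lower()}"))

    for body in html_parts(msg):
        for href, text in LINK_RE.findall(body):
            href_host = (urlparse(href).hostname or "").lower()
            shown = HOST_RE.search(re.sub(r"<[^>]+>", "", text))
            if shown and shown.group(0).lower() != href_host:
                findings.append(("link-mismatch", f"text says {shown.group(0)} but href goes to {href_host}"))
    return findings


def codes(raw):
    return {code for code, _ in analyze(raw)}


PHISH = """From: "ExampleFirm IT Support" <support@examp1efirm.com>
Reply-To: helpdesk@mail-verify.example.net
To: associate@examplefirm.com
Subject: Your password expires today
Authentication-Results: mx.examplefirm.com; spf=fail smtp.mailfrom=examp1efirm.com; dkim=none
Content-Type: text/html; charset=utf-8

<p>Reset now: <a href="http://203.0.113.10/login">https://portal.examplefirm.com/reset</a></p>
"""

LEGIT = """From: "Jane Partner" <jane@examplefirm.com>
To: associate@examplefirm.com
Subject: Draft brief
Authentication-Results: mx.examplefirm.com; spf=pass smtp.mailfrom=examplefirm.com; dkim=pass header.d=examplefirm.com
Content-Type: text/html; charset=utf-8

<p>Draft is in the portal: <a href="https://portal.examplefirm.com/matters/42">https://portal.examplefirm.com/matters/42</a></p>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyze(raw) or "no indicators")
```

Indicators like these are heuristics: a legitimate mass-mail service often sets a different Reply-To, so treat each finding as a reason to verify out of band (call the sender on a number you already have) rather than as proof of fraud.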

In addition, law firms can retain a cyber consultant. Cybersecurity experts can assess your firm’s vulnerabilities, draw up incident response measures and help you set up ways to protect your data. Such engagements usually include testing whether your firm can detect or respond to a simulated attack, followed by practical recommendations for handling your security going forward.

Even with preventive measures in place, data breaches may still occur.

If this is the case, under Rule 1.4 and as Formal Opinion 483 addresses, lawyers are required to act reasonably and promptly to stop the breach and to mitigate any damage. It is their duty to inform clients of the data breach to the extent that a client can make informed decisions regarding the representation.

Having a protocol in place that everyone knows before a breach occurs is essential for law firms; you will handle the incident better and mitigate the risks. At a minimum the plan should cover four steps:

Contain the immediate problem (usually getting the intruders out of your network and revoking compromised credentials) while preserving the evidence: keep logs, disk images and the affected accounts’ records rather than wiping and rebuilding straight away, since they are needed to determine what was accessed.

Decide whether to call in outside experts (forensics, breach counsel, your cyber insurer) or rely on internal resources.

Determine what the law requires you to do now that a breach has taken place: state breach notification statutes, HIPAA or the Gramm-Leach-Bliley Act where they apply, and the client notification duty under Formal Opinion 483.

Harden your security so this particular incident cannot happen again, and record what was learned.

This acts as a starting point for law firms, and can be strengthened and tailored moving forward.

Conclusion

Data breaches have become prevalent in recent years. It is important to note that cybersecurity is a moving target and your commitment to safeguarding client data should thus be ongoing. Furthermore, it is reasonable to expect that the ABA Standing Committee and state attorney regulators will continue to refine and revise Formal Opinion 483 as technology and related threats evolve.

As one author recently wrote in the ABA Journal, “[m]any of the first ethics opinions on this topic wisely recognized that technology would change over time… with ethics committees acknowledging that accepted security standards would likely change as technology advanced and more secure options became available.”

It is best to be proactive rather than reactive in these situations. Have a plan in place in the event of a data breach. This will allow you to respond quickly and competently in the event of a breach event. Above the Law reports that “it is predicted that by 2020, 60 percent of businesses’ technology budgets will be devoted to detection and response.” The costs associated with a data breach, however, can be far greater.